Create an APT1 feed

Mandiant recently published a report that many of you may have read. This report included an appendix which lists hundreds of domains and IP ranges associated with investigations into a threat actor called "APT1". If you are using a NetWitness Live subscription, chances are you already have these domains and IPs listed as malicious. However, I thought it would be a good exercise to build my own feed from the Mandiant APT1 appendix information.

I decided to create a feed for the APT1 domains because there are over 2000 of them. It is possible to create lists in Informer to alert on domains but these should be limited to a few dozen or so. A large feed, on the other hand, can create meta at the Decoder with little effort. This is a better option when dealing with large numbers of domains or IP addresses.

A feed is built using a CSV file and a bit of XML. Both files are attached so you have an example.

Create your feed

First, create the XML file that calls back the alias.host meta. This will create an alert (Mandiant_APT1_Domain) when the alias.host meta matches something from our CSV index column.

The CSV file can be put together easily in Excel using the Mandiant APT1 provided file Appendix D (Digital) - FQDNs.txt. Just add a column for the alert name that you want to see. This must align to the <Field index="2" type="value" key="alert"/> from your XML.

Now save your XML and CSV files together and give them a common name. e.g. Mandiant_APT1_Domain.csv and Mandiant_APT1_Domain.xml

Compile your feed

Compiling these files into a feed can be done many ways.

If you are using Live, the easiest way is to drop the two files into a directory that will automatically build a Mandiant_APT1_Domain.feed file and publish it to any Decoders. By default the path is C:\Program Files (x86)\NetWitness\NetWitness Live Manager\outgoing\devices\[decoder IP]\customfeeds\. If your XML and CSV files are correctly formatted they will be compiled by an automated process in Live and pushed out to the Decoder.

If you are not using Live the other way to test and build your feed is using the NwConsole command. This can be done locally on a Windows PC where you have installed Investigator. Copy the XML and CSV files to your NetWitness Investigator directory e.g. C:\Program Files\NetWitness\NetWitness 9.8\ and start a command prompt.

NwConsole.exe

> feed create Mandiant_APT1_Domain.xml

As seen in the screen shot above, the 2046 value returned in the output should correspond to the number of entries in your CSV file. If not, check your XML and CSV for errors.

Publish your feed

Now that you have made a Mandiant_APT1_Domain.feed file it is necessary to copy this to your Decoders for it to produce meta. You can Secure Copy (SCP) this over using something like WinSCP. Easier yet is to use NetWitness Administrator to copy up the file using the GUI.

Refresh the parser

One last step is required to tell the Decoder to make use of the new feed.

From NetWitness Administrator, connect to and open the Decoder service.

Navigate to the Console tab.

Issue the following command to reload feeds on the Decoder:

/decoder/parsers feed op=notify

That is about it. If your network traffic ever creates alias.host meta that matches an entry in your Mandiant_APT1_Domain.feed, you will produce a new alert called Mandiant_APT1_Domain.

If I wanted alerts for any subdomains of this list, could I change to 'truncdomain="true"' to accomplish this task? It is my understanding that 'truncdomain' ignores everything after the second level; is that correct or am I way off?

My understanding of the truncdomain=true is the same as yours. If the list includes site.blah.com and truncdomain=true is set then alerts will be generated for any blah.com domain. So, users visiting www.blah.com or ftp.blah.com will both trigger the alert.

This is a useful idea for many of the sites on the list. The exception is with dynamic DNS providers that make use of a common domain or large Content Delivery Networks (CDN). e.g. hackersRus.dyndns.org
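The two points above (building the two-column CSV from the Appendix D FQDN list, and what truncdomain="true" does to matching) can be checked offline before compiling the feed. The following is an added example and not part of the original post or of any NetWitness tooling; the FQDNs in it are constructed placeholders, and registered_domain() is an assumption that models truncdomain as "keep the last two labels", as the thread understands it.

```python
import csv
import io

# Constructed stand-in for "Appendix D (Digital) - FQDNs.txt": one FQDN per
# line. These are made-up placeholder names, not indicators from the report.
APPENDIX_D_TEXT = """\
# constructed sample
site.example-apt.com
update.example-apt.net
hackersRus.dyndns.org
update.example-apt.net
"""

ALERT_NAME = "Mandiant_APT1_Domain"


def build_feed_csv(fqdn_text, alert_name=ALERT_NAME):
    """Build the CSV the feed expects: column 1 is the index value compared
    against alias.host, column 2 the alert name that
    <Field index="2" type="value" key="alert"/> in the XML refers to.
    Returns (csv_text, row_count); row_count is what 'feed create' should
    report (2046 for the real appendix), so duplicates are dropped here."""
    rows, seen = [], set()
    for line in fqdn_text.splitlines():
        fqdn = line.strip().lower().rstrip(".")
        if not fqdn or fqdn.startswith("#") or fqdn in seen:
            continue
        seen.add(fqdn)
        rows.append((fqdn, alert_name))
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue(), len(rows)


def load_index(csv_text):
    """Read the CSV back as (index_value, alert_name) pairs."""
    return [tuple(r) for r in csv.reader(io.StringIO(csv_text)) if r]


def registered_domain(host):
    # Assumed model of truncdomain="true": keep only the last two labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def match_alias_host(host, index, truncdomain=False):
    """Return the alert name an alias.host value would raise, or None.
    With truncdomain the comparison is done on the truncated domain, which is
    why a dyndns.org entry in the list would fire for every dyndns.org host."""
    host = host.lower().rstrip(".")
    if truncdomain:
        return {registered_domain(v): a for v, a in index}.get(registered_domain(host))
    return dict(index).get(host)
```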

Domain Type Searches: (With sub-domains and without)

To perform other types of searches such as hostnames/domains, you will need a MetaCallback tag: See example: (Note: The MetaCallback tag is only used when searching for alias.host meta)

If truncdomain="true" is set, then you will also see sub-domains listed under the meta name you defined in the CSV file.

apptype="0" - This is the service port by protocol not by port: http=80

A deeper look into FEEDs can be found in the NW Administrator Manual pg. 250. (Can be opened by pressing F1 within NW Administrator)

The node names which are just the tags can be referenced in pg. 252 of the NW Administrator Manual